Welcome to NBlog, the NoticeBored blog

Jan 30, 2006

The above go.microsoft.com link in a Microsoft Partner Programme email redirects to a Security Assessment Tool hosted at www.SecurityGuidance.com. The domain looked a bit odd to me so I checked the domain registration details on whois. The domain belongs not to Microsoft but to Ziff-Davis ... which seems rather odd for a Microsoft branded page and a Microsoft security tool. The 'tool' itself appears to consist of a questionnaire about visitors' security arrangements, exactly the kind of information someone with malicious intent might want. The FAQ on the site notes that Microsoft has a relationship with Ziff-Davis, but why should I trust the information on a dubious website? My advice FWIW - steer clear.

More security awareness links

A SecurityFocus article picks up on the possibility of rootkits in the computer's BIOS. The same principle applies to rootkits in video BIOS and network card BIOS. The thing about these locations is that a reboot won't clear them, nor will a normal complete system rebuild - not even a new hard drive will clear them ... unless, that is, the code in the BIOS is just a stub, a loader for the main payload on disk. Given that the machine BIOS, by its very nature, gives low level access to the hardware, it is conceivable that a stub could load the remainder from another BIOS store, or from a normally inaccessible area on disk (such as a sector marked bad).

More [anti-]hacking resources

Jan 29, 2006

A backdoor in a mainstream security product could certainly be considered a bug. The product is Cisco Security Monitoring, Analysis and Response System (CS-MARS) up to version 4.1.2 and the backdoor is an undocumented user ID with a default password giving access to the root fully-privileged administrator ID. Doh! The access was deliberately inserted, allegedly for “advanced debugging purposes” - fair enough maybe, but why on Earth did it end up in shipped code, and in a security product at that?!

More links on Bugs!

The latest NoticeBored Classic module covers something dear to my heart - Bugs! Having suffered bugs in almost every program I've ever used, the Bugs! module is a chance to get a few things off my chest. Read about the benefits and constraints of software development quality assurance and testing processes, and catch up with the patching treadmill.

New links page on Bugs! here

Jan 28, 2006

The US Federal Trade Commission reports on the 685,000 complaints of fraud and identity theft they received during 2005, costing consumers an average of just under $1,000 each (yes, that's a whopping $680m!). Just under half the complaints were Internet related, slightly down on recent years. Identity theft was slightly more common than in 2004 but again slightly down as a proportion of the total. Perhaps information security is starting to have a positive effect?

More IT-related fraud resources

Jan 26, 2006

A new US CERT Cybertip covers 'hidden threats' such as Rootkits and Botnets. The Cybertips neatly summarize common information security issues for ordinary computer users - not geeks.

More "virus" links

The Guardian newspaper reports that British Members of Parliament were specifically targeted in what looks like a spear-phishing attack. Thankfully, the Parliamentary security systems seem to have foiled the attack but other victims may not have the same level of protection. What's interesting about spear-phishing is that the classic pattern-matching antivirus tools may prove ineffective if the attackers create or use virgin, never-before-seen-in-the-wild malware specifically for these attacks. The implications are horrific.

More malware links here

Jan 23, 2006

In an interesting interview by Tony Bradley, Ed Skoudis said: "Given that many organizations have dramatically improved the patching process, we now face an even more difficult problem: user awareness. With targeted phishing and Trojan horse attacks, an unwitting user can be duped into running an attachment, surfing to a happy-looking-but-evil website, or entering information into a form that pops up on the screen. Such attacks represent a real threat to most organizations. And the real problem here is summarized well in that wonderful T-shirt: 'Because there is no patch for human stupidity.' Our entire culture needs to come to terms with the risk of computer crime and how to identify and avoid its common forms. Pretty much everyone that uses computers has to learn about e-mail and website con jobs, phishing, Trojans, viruses, and other scams." Hear hear Ed!

More awareness resources

Jan 14, 2006

It appears that some BBC DJs are illegally copying and using digital copies of music despite a new music licensing scheme in the UK, and of course the Copyright Act. The BBC news story fails to mention how many non-BBC DJs are also breaking the law in this fashion but judging by the number of remote control joggers I see on the streets, it must be quite a few.

More Intellectual Property Rights links

Jan 13, 2006

To help cement its move away from IT auditing towards IT governance, ISACA will no longer be known officially as the Information Systems Audit and Control Association. This is a bit like British Petroleum, British Telecom and British Airways becoming BP, BT and BA, respectively: some of us traditionalists still recall the original names and all that they once stood for. Some of us can tell the difference between Personal Computer and Politically Correct.

More IT audit resources

Jan 11, 2006

An interesting global self-help initiative to counteract the 419 scammers has been launched by the South African police. It’s a kind of name-and-shame deal, with police and community backing lending some weight to their efforts to get scammer sites and services closed down. Awareness/education is a primary and very worthy aim.

More IT fraud links here

Jan 9, 2006

SPI Dynamics, providers of software for testing web applications etc., publishes a range of useful white papers relating to software quality etc. Unlike some of their peers, the papers are provided free of charge with no strings attached - you don't need to register, sign up for their newsletter, supply a small DNA sample or otherwise jump through hoops. Just click, wait and read :-)

Jan 2, 2006

Information security aspects of third party relationships is the subject of January's NoticeBored Classic module. It points out the need for, and value of, numerous information security controls when dealing with business partners etc.